I will get my stuff pulled out and try to supply them today.. they are large
because of all the hosts and VPNs.. I will reduce a lot of it to just the
specifics.
Regarding the other reply about staff segments in the same location, here is a
basic design:
BSD 3.8
5 Network cards
1 private segment where backend exchange is
1 DMZ segment where front end exchange is
1 Staff segment
1 External interface
1 pfsync interface not currently used
All my branches then VPN back to this location via isakmpd and have full
access to the Staff segment, and from there full access to both the front-end
and back-end Exchange.
I sit on the staff segment in this location with the 5 network cards, which is
also the physical location of the Exchange systems; thus I don't use the VPN, I
would just follow the PF rules.
This works 100% for me in this situation; it just fails badly for the
locations that depend on the tunnels.
Hope that clears that one up.
Regarding MTUs, I was thinking the same, as no locations work to this, and
there were complaints that other Microsoft ports were not working across the
VPN to this location for shares.
More to follow as I need to get access and clean up these files.. the PF
rule base is approx. 11 pages, and the ISAKMPD file is just huge with 200
tunnels being created.
James
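As an added illustration (not James's actual pf.conf and not from the list), here is one way the five-interface design and the two table rules he describes fit together, with the decrypted-tunnel interface enc0 passed explicitly and an MSS clamp on it as a check for the MTU suspicion; interface names, addresses and the default-deny rule are assumptions.

```pf
# Assumed interface names for the five cards described above
ext_if   = "fxp0"    # external interface
staff_if = "fxp1"    # staff segment
dmz_if   = "fxp2"    # DMZ, front-end Exchange
priv_if  = "fxp3"    # private segment, back-end Exchange
# fxp4 is the pfsync interface, not used yet

# Constructed sample addresses: local staff plus branch staff networks,
# and the front-end (DMZ) and back-end (private) Exchange hosts
table <staffsegments>   const { 10.1.0.0/16, 10.2.0.0/24 }
table <exchangeservers> const { 192.168.1.10, 172.16.1.10 }

set skip on lo0

# MTU check: clamp TCP MSS on traffic crossing the IPsec tunnel so that
# packets plus ESP overhead still fit the path MTU without fragmentation.
scrub in  on enc0 all max-mss 1400
scrub out on enc0 all max-mss 1400
scrub in  on $ext_if all

# Assumed default deny with logging, so blocked packets show up in pflog
block log all

# IKE (udp/500) and ESP between the branch gateways and this firewall
pass in quick on $ext_if proto udp from any to ($ext_if) port isakmp keep state
pass in quick on $ext_if proto esp from any to ($ext_if)

# Decrypted tunnel traffic appears on enc0 and must be passed there too;
# an interface-less rule alone does not cover the esp leg on $ext_if.
pass in  quick on enc0 inet from <staffsegments> to <exchangeservers> keep state
pass out quick on enc0 inet from <exchangeservers> to <staffsegments> keep state

# The two table rules from the original post (local staff, no VPN involved)
pass quick log inet from <staffsegments> to <exchangeservers> keep state
pass quick log inet from <exchangeservers> to <staffsegments> keep state
```

Load with pfctl -nf to syntax-check before pfctl -f, and watch pflog0 with tcpdump for hits on the block rule from the branch address ranges.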
----- Original Message -----
From: "Steven S" <[EMAIL PROTECTED]>
To: "'James Mackinnon'" <[EMAIL PROTECTED]>; <misc@openbsd.org>
Sent: Tuesday, January 17, 2006 12:53 AM
Subject: RE: PF config for exchange
[EMAIL PROTECTED] wrote:
...
All branches have VPN tunnels back to central location and the firewall rules
have a pass quick over the VPN tunnels.
On the main location I have a
pass quick log inet from <staffsegments> to <exchangeservers> keep state
I also have a
pass quick log inet from <exchangeservers> to <staffsegments> keep state
...
I have looked over the tcpdumps and I didn't see any blocks.
From within the same location on the Staffsegment off of this same firewall it
works fine. I would be using the same rules as the remote branches so it makes
me think it's something with the tunnels but not really sure at this point.
Any direction would be great.. For now, I had to back out and put junkpoint, I
mean checkpoint in place.
Are you logging all blocks (at both locations)?
Is traffic leaving the VPN from the remote location through the VPN to the
exchange server (as viewed with tcpdump)?
Do you have any idea where traffic is being blocked/stopped?
Can you ping the exchange servers from the staff segment?
Is name resolution working (DNS/WINS) for the staff segment?
Try "ping exchange" and "nbtstat -a exchange" or whatever the
exchange server is called.
You might wish to post your sanitized pf.conf and isakmpd.conf. Also, I'm
not sure what "From within the same location on the Staffsegment off of
this same firewall it works fine." means. But that could be just me.
-Steve S.